GeekTek: Addressing Data Threats in Seed-to-Sale Software

In the cannabis industry, a data threat can easily become a physical threat.

Cyber attacks and ransomware jeopardize not only business operations and patient privacy, but the safety of cannabis industry employees like drivers and dispensary staff.

GeekTek CEO Eric Schlissel said, “As a business owner, it does make sense to be paranoid about your data.” Based in Los Angeles, GeekTek pushes past the boundaries of a traditional IT service provider with a security-first approach.

Malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016, the White House Council of Economic Advisers estimated in a February 2018 report.

In January, 600 cannabis businesses experienced a cyber attack when MJ Freeway, a Colorado-based provider of seed-to-sale software, suffered a major crash. MJ Freeway is also used by government regulators in Nevada and Washington.

In statements, the company said it believed the attacker’s goal was to destroy rather than steal data. Mark Mermelstein, MJ Freeway’s cybersecurity lawyer, noted that the attack occurred during a local contract process and said, “You could imagine a scenario where a competitor, a bidder for this RFP, tried to disable one of the leading candidates to win this contract,” according to LA Weekly.

On Feb. 3, the Washington state government’s seed-to-sale software experienced a cyber attack that gave the attacker access to cannabis product delivery routes.

The hacker “was able to gain the route information of industry manifests filed between February 1-4 and transporter vehicle information, including VIN, license plate number, and vehicle type,” according to Ganjapreneur, which reported the issue was resolved.

Data threats like these concern cannabis business owners, who fear theft, sabotage or violence toward their own employees. Cip Paulsen, owner of Washington growing operation Grow State, said after the Leaf Data attack, “It’s a huge concern mostly for my employees. [The attackers] know where [cannabis products are] leaving from, they know it’s going over to Seattle, or Olympia, or whatever. They could possibly know how much merchandise is in there,” Paulsen told Spokane local news. “They could hijack us . . . in the middle of the night when there’s no traffic and rob and or kill people. And it not only revolves around us but it revolves around the general public.”

“Cannabis operators can easily implement the best elements of other industries which have developed strong solutions to the data security challenge,” Schlissel said.

A thought leader when it comes to protecting cannabis industry data assets, Schlissel has written for the National Association of Cannabis Businesses Insights newsletter and Cannabis Magazine, spoken on data security strategies in cannabis distribution and transportation at the California Cannabis Business Conference, and moderated a panel on data security at the 2017 New West Summit. In 2018, he will be speaking at the World Medical Cannabis Conference & Expo (PA), Cannabis World Congress & Business Expo (CA), and CannaGrow Expo (CA).

Schlissel talked about data threats to the cannabis industry with Cashinbis.

What was your entry point to working with cannabis businesses?

My entry point was a client pitch a few years ago – it was a local organization with no infrastructure. I did an assessment and it was kind of a mess. I became an investor in a few companies and started asking people what they were doing. We can add tremendous value to the industry as a managed IT securities firm.

This topic has become increasingly important. Up until recently, businesses weren’t paying attention to IT security. Cannabis businesses are figuring out how to be compliant with regulations, and companies are now realizing, ‘We need to scale and compete with companies that have been in the industry longer, or have scaled already.’ It’s easier to solve those problems before they happen.

What kind of data security concerns are specific to cannabis businesses?

Much like other businesses, they are primarily concerned with privacy – many of them handle patient data. They may or may not have the HIPAA data built in.

Hackers are interested in companies that deal in cash, which is common in the cannabis industry.

Security cameras are relatively accessible to the network, so people could be watching the cameras and watching their network. That’s why businesses need encryption and active firewalls. Also, this issue of cannabis businesses not slowing down enough to realize they have to form policies related to cybersecurity.

In other industries, cybersecurity often relates to the actual property. People don’t understand that investors are looking for people to protect their intellectual property, and their investment.

What special challenges are presented by seed-to-sale software?

With seed-to-sale, we’re looking at information consistency for the entirety of the life cycle. If you’re growing and need to push data off, or if you’re a lab bringing data in, it needs to be encrypted.

With track-and-trace software, businesses are working with a lot of new platforms out there that aren’t entirely secure. For example, AWS [Amazon Web Services] isn’t entirely secure. Some platforms are less secure than others. At GeekTek, we can do an infrastructure ID and find the weak spots in the platform.

What are cannabis companies’ most important data assets?

Patient data is incredibly important, as is your intellectual property. Every company generates intellectual property – you need to protect the cover data. Data ends up in places you don’t need it to, like in the latest formulation for your edible.

Encrypt and protect everything. As a business owner, it does make sense to be paranoid about your data. With ransomware, you could lose everything.

How can a business know if they’ve experienced a cyber attack?

It starts with a link on an email or website. For one of our clients, the CFO got an email from the CEO saying to wire money immediately. That’s an example of spear phishing – the email was from an account that looked real. There needs to be education: every single employee at your company needs to know if an email is suspect. We provide cloud-based security for every client. If someone from tech support calls for your password, how does someone know they’re really from tech support?

In a cyber attack, documents get renamed. A document named yourword.doc could be changed to yourword.csc. If you see that, unplug everything from the power and then call people who know what they’re doing.

What’s in the future for the cannabis industry?

We’re looking forward to the industry maturing and seeing businesses flourishing. This is a very exciting time for the industry and we’re looking at opportunities for innovation across the board. We love solving problems. It’s the perfect time for us to be a part of this and see continued growth all around.

I think your sources are a bit dated. First of all, I think you’re missing a few breaches. MJF has had several more than reported. They had this happen in Nevada where patient data was all compromised. You also reported that MJF has the Nevada contract, however that was taken away from them by the state shortly after the hacks they had last year and sole-source awarded to the company Metrc, that originally won the WA contract and opted to back out. While I certainly do not discredit the notion that one of those other 7 bidders of that RFP might be a culprit, I doubt it. Based on the types of attacks and the fact that their source code is LITERALLY still available on torrent sites like Pirate Bay, means this is most likely an inside job. Granted now that their source code is out there, the likeliness they will ever be secure is close to nil.

Jim MacRae

Agreed, Barry … some new source code (apparently dated 2/26/18) was posted a couple of days ago on piratebay …. looks like their problems may be persisting.